Win10/11 – Configure Kiosk mode via Endpoint Manager

What’s up, everyone! 

In this blog I will explain the kiosk mode for Windows 10/11 and how to configure kiosk mode via Endpoint Manager (Intune).

Types of Kiosk mode

As of this moment, the following Kiosk modes are available;

Single-app kiosk mode

This mode will automatically start a single UWP app when the kiosk account signs in. It’s still possible to start a desktop application using shell launcher. This mode is great for public use.

Multi-app kiosk mode

This mode will run one or more apps from the desktop. It has a customized Start which only shows the apps that are allowed. According to the Microsoft documentation, this mode is intended for a locked-down experience for different account types.

Note: At this moment multi-app kiosk is only supported on Windows 10. It is not supported on Windows 11.

Prerequisites

Before we can setup the correct Kiosk mode, we need to check which method we need to configure the Kiosk and make sure we use the correct version of Windows (Pro vs Ent).

Check this part of the Microsoft documentation for the supported method.

Create a device configuration profile

Log on to Endpoint Manager, Click on Devices, Configuration Profiles. Create a new profile. Enter a name for the profile. 

Select the Kiosk mode you need.

Single app, full-screen kiosk options

First we need to choose the User Logon Type.

  • Auto logon. This requires Win 10, version 1803 or newer or Windows 11. Use this on public kiosks where users aren’t required to sign in. It works similar as a guest account.
  • Local user account. Enter a local (only on device) user account. This account will sign in to the kiosk.
  • Azure AD user or group. This requires Windows 10, version 1803 or newer, or Windows 11. (See below).

We will be able to lookup and select users and groups in the righthand side of the screen if we select the Azure AD user or group option.

Multi app kiosk options

We need to tell Intune if our target devices run Windows 10/11 in S mode. Select Yes or No. 

Here is a screenshot for No.

Here is screenshot for Yes.

Most options are the same, only the Browsers and Applications part is different as the S mode cannot run a Win32 app.

We need to configure the User Logon Type. Both S mode enabled and disabled have the same options. 

We see the same logon types as mention before with the addition of the HoloLens Visitor. 

The HoloLens Visitor type can be used when a HoloLens is configured in Kiosk mode, specifically when the HoloLens is used by guests.

Other options on the Configuration Settings page are pretty straightforward.

For the purpose of this demo I will configure a single app, full-screen kiosk mode with the following options;

On the Assignments page we need to assign the profile to one or more groups, all users or all devices. For this demo I added all devices.

On the Applicability Rules page we can target devices in a group that meet specific criteria. This could help us when the profile is targeted to all devices, but we only need to apply the profile to Windows 10/11 Enterprise or Professional.

If everything checks out, we hit the Create button to create the profile.

When the profile is created, we can go to Devices, Configuration profiles and see the new profile.

Windows 11 Single App, Full-Screen Kiosk

Make sure the Windows 11 system is connected to Endpoint Manager and the configuration profile is applied. 

Here is a screenshot of the Kiosk:

Windows 11 Single App, Full Screen Kiosk

Windows 10 Single App, Full-Screen Kiosk

Make sure the Windows 10 system is connected to Endpoint Manager and the configuration profile is applied.

Here is a screenshot of the Kiosk:

Windows 10 Single App, Full-Screen Kiosk

If you click on the End Session button on the top right corner of the Microsoft Edge browser, you see the following message:

Related Post

Leave a Reply

Your email address will not be published.